Can we trust iCloud?

After hearing about all the leaked nude celebrity photos, one can’t help but think, “Is this service safe at all?” To that end, I was recently asked to appear on WBIR to discuss the issues surrounding the leaked photos.

So how did it happen? Initial reports from Apple indicate that the photos were stolen using several methods, but most were from ripped iCloud backups. How does that work? Well, several ways. Attackers can either guess your password, use tools to crack your password, or reset your password by guessing the answers to your security questions. Once they have your password, there are several software packages out there that let you download and open (or “rip”) the backup files. Anything that is inside those backup files is now fair game to the attacker… enter celeb nudie pix.

As I mention in the TV spot, many bloggers have come out and talked about Apple’s two-factor authentication as a cure for this problem. While Apple’s two-factor authentication should definitely be leveraged, it unfortunately would not have helped in this situation. Apple’s two-factor auth is limited in scope and doesn’t cover some very important pieces; namely these iCloud backups and your photostream.

So how do we protect ourselves? Well, first and foremost, we HAVE to start using strong passwords. I suggest in this TV spot that if it is convenient for you to remember, it is probably convenient for the attacker to guess or crack. When passwords are the only option, then we have to start thinking in terms of passphrases. Instead of fluffy or Pa$$w0rd, we need to be thinking “I love my d0g and her name is Fluffy!”. Yes it’s long, and yes it takes a little getting used to typing… but it would also take a good while to crack.

Part two of this scenario would be to use strong answers to these security questions. By strong answers, I mean answers that aren’t the true and well documented answers. If you were born in Lexington, Kentucky, and this fact is all over your Facebook profile and you’ve mentioned it on Twitter, it’s a bad idea to use this as the answer to your security question. To take that one step further, if it is public record, don’t use it. Here’s the fun part though, no one is checking to confirm that what you write is an actual place. So for “City where you were born” you could answer Michael Jackson. I bet THAT’S not documented anywhere. Food for thought.
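To put rough numbers on the password-versus-passphrase advice above, here is an added example (not part of the original post) that checks the three passwords mentioned against a small constructed wordlist after undoing common character substitutions, then estimates the brute-force search space. The wordlist, the substitution table and the guess rate are assumptions chosen for illustration.

```python
import math

# Constructed mini wordlist standing in for a real password dictionary (assumption).
COMMON_WORDS = {"password", "fluffy", "letmein", "qwerty", "dragon"}

# Typical substitutions that password-audit rule sets reverse before a lookup.
LEET = str.maketrans({"$": "s", "0": "o", "@": "a", "1": "l", "3": "e"})

# Assumed offline guess rate; real rates depend on the hash and the hardware.
GUESSES_PER_SECOND = 1e10


def normalise(pw):
    """Lower-case the password and undo common character substitutions."""
    return pw.lower().translate(LEET)


def charset_size(pw):
    """Size of the printable-ASCII alphabet a brute-force search must cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # 32 punctuation characters plus the space
    return size


def estimate(pw):
    """Report whether the whole password is a disguised dictionary word,
    and the brute-force search space in bits. The bit count is an upper
    bound: a passphrase built from ordinary words has less real entropy."""
    bits = len(pw) * math.log2(charset_size(pw))
    weakness = "dictionary" if normalise(pw) in COMMON_WORDS else "brute-force"
    return {"weakness": weakness, "brute_force_bits": bits}


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Years needed to try every candidate in a search space of 2**bits."""
    return (2 ** bits) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("fluffy", "Pa$$w0rd", "I love my d0g and her name is Fluffy!"):
        r = estimate(pw)
        print(f"{pw!r}: {r['weakness']}, {r['brute_force_bits']:.1f} bits")
```

Pa$$w0rd looks complex but collapses to a dictionary word once the substitutions are reversed, which is why length does more for you than decoration.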

The last thing I want to bring up here has gotten me in a bit of hot water with a certain segment of the population. This would be the idea of not taking nude pictures of yourself to begin with. I suggested this online immediately after the photos were leaked, and immediately got chastised by several people for “victim blaming”. Other popular tweets around this idea were ones like “You shouldn’t take the picture is the new she shouldn’t have worn that short skirt” and other references to rape culture. I get it, I really do. In no way does me saying this mean to imply that somehow the guilty parties that broke into these women’s accounts are any less guilty. You should absolutely be able to take whatever kinds of pictures of yourself you’d like to, without fear of them showing up in places you didn’t intend, just like you *should* be able to drop your young kids off to play at a playground by themselves with zero regard for the area of town you’re in or the time of day. The latter is obvious. As a good parent you’d never drop your kid off in a bad part of town at 2AM, so why is it bad to suggest that perhaps the former is an obvious no-brainer as well? To me, it’s about taking personal responsibility for our own data and our own lives and doing the “smart” thing in the context of the day and time in which we live. You *should* be able to take those pictures, but the fact that these pictures are now living on a device that is backing itself up to storage that is on the internet and secured by imperfect systems (because we as humans are involved in the security process) should give us all the same pause as that bad neighborhood at 2AM does.

Frankly, the internet is a bad neighborhood that just so happens to have some pretty houses in it, and we all have to start treating it that way.